From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mark Rutland <mark.rutland@arm.com>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
"David S. Miller" <davem@davemloft.net>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
James Morris <jmorris@namei.org>,
Patrick McHardy <kaber@trash.net>,
netdev@vger.kernel.org, Sasha Levin <alexander.levin@verizon.com>
Subject: [PATCH 4.9 058/104] net: ipconfig: fix ic_close_devs() use-after-free
Date: Fri, 22 Dec 2017 09:46:24 +0100
Message-ID: <20171222084613.999865867@linuxfoundation.org>
In-Reply-To: <20171222084609.262099650@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit ffefb6f4d6ad699a2b5484241bc46745a53235d0 ]
Our chosen ic_dev may be anywhere in our list of ic_devs, and we may
free it before attempting to close others. When we compare d->dev and
ic_dev->dev, we're potentially dereferencing memory returned to the
allocator. This causes KASAN to scream for each subsequent ic_dev we
check.
As there's a 1-1 mapping between ic_devs and netdevs, we can instead
compare d and ic_dev directly, which implicitly handles the !ic_dev
case, and avoids the use-after-free. The ic_dev pointer may be stale,
but we will not dereference it.
Original splat:
[ 6.487446] ==================================================================
[ 6.494693] BUG: KASAN: use-after-free in ic_close_devs+0xc4/0x154 at addr ffff800367efa708
[ 6.503013] Read of size 8 by task swapper/0/1
[ 6.507452] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 4.11.0-rc3-00002-gda42158 #8
[ 6.514993] Hardware name: AppliedMicro Mustang/Mustang, BIOS 3.05.05-beta_rc Jan 27 2016
[ 6.523138] Call trace:
[ 6.525590] [<ffff200008094778>] dump_backtrace+0x0/0x570
[ 6.530976] [<ffff200008094d08>] show_stack+0x20/0x30
[ 6.536017] [<ffff200008bee928>] dump_stack+0x120/0x188
[ 6.541231] [<ffff20000856d5e4>] kasan_object_err+0x24/0xa0
[ 6.546790] [<ffff20000856d924>] kasan_report_error+0x244/0x738
[ 6.552695] [<ffff20000856dfec>] __asan_report_load8_noabort+0x54/0x80
[ 6.559204] [<ffff20000aae86ac>] ic_close_devs+0xc4/0x154
[ 6.564590] [<ffff20000aaedbac>] ip_auto_config+0x2ed4/0x2f1c
[ 6.570321] [<ffff200008084b04>] do_one_initcall+0xcc/0x370
[ 6.575882] [<ffff20000aa31de8>] kernel_init_freeable+0x5f8/0x6c4
[ 6.581959] [<ffff20000a16df00>] kernel_init+0x18/0x190
[ 6.587171] [<ffff200008084710>] ret_from_fork+0x10/0x40
[ 6.592468] Object at ffff800367efa700, in cache kmalloc-128 size: 128
[ 6.598969] Allocated:
[ 6.601324] PID = 1
[ 6.603427] save_stack_trace_tsk+0x0/0x418
[ 6.607603] save_stack_trace+0x20/0x30
[ 6.611430] kasan_kmalloc+0xd8/0x188
[ 6.615087] ip_auto_config+0x8c4/0x2f1c
[ 6.619002] do_one_initcall+0xcc/0x370
[ 6.622832] kernel_init_freeable+0x5f8/0x6c4
[ 6.627178] kernel_init+0x18/0x190
[ 6.630660] ret_from_fork+0x10/0x40
[ 6.634223] Freed:
[ 6.636233] PID = 1
[ 6.638334] save_stack_trace_tsk+0x0/0x418
[ 6.642510] save_stack_trace+0x20/0x30
[ 6.646337] kasan_slab_free+0x88/0x178
[ 6.650167] kfree+0xb8/0x478
[ 6.653131] ic_close_devs+0x130/0x154
[ 6.656875] ip_auto_config+0x2ed4/0x2f1c
[ 6.660875] do_one_initcall+0xcc/0x370
[ 6.664705] kernel_init_freeable+0x5f8/0x6c4
[ 6.669051] kernel_init+0x18/0x190
[ 6.672534] ret_from_fork+0x10/0x40
[ 6.676098] Memory state around the buggy address:
[ 6.680880] ffff800367efa600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6.688078] ffff800367efa680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 6.695276] >ffff800367efa700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 6.702469] ^
[ 6.705952] ffff800367efa780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 6.713149] ffff800367efa800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 6.720343] ==================================================================
[ 6.727536] Disabling lock debugging due to kernel taint
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: David S. Miller <davem@davemloft.net>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: James Morris <jmorris@namei.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: netdev@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/ipconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -306,7 +306,7 @@ static void __init ic_close_devs(void)
while ((d = next)) {
next = d->next;
dev = d->dev;
- if ((!ic_dev || dev != ic_dev->dev) && !netdev_uses_dsa(dev)) {
+ if (d != ic_dev && !netdev_uses_dsa(dev)) {
pr_debug("IP-Config: Downing %s\n", dev->name);
dev_change_flags(dev, d->flags);
}
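Review bot: the new condition `if (d != ic_dev && !netdev_uses_dsa(dev))` is safe only because ic_dev is compared by value and never dereferenced; by the time later nodes are visited, ic_dev may already point at memory kfree()d further down this loop (the "Freed:" site in the splat, ic_close_devs+0x130). A one-line comment at the check saying that ic_dev may be stale here would stop a future change from reintroducing `ic_dev->dev`. The check also relies on ic_dev always being a node of this list, which the message justifies via the 1-1 ic_dev/netdev mapping, so the pointer comparison is exact and the !ic_dev case falls out naturally.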
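Added illustration, not kernel code: a user-space model of the ic_device walk with the fixed comparison, so the behaviour in the three cases the message discusses (ic_dev in the middle of the list, no ic_dev, a DSA device) can be exercised without a kernel. The struct names, `run_model`, `model_ic_close_devs` and the `uses_dsa`/`downed` flags are assumptions standing in for the real netdev and `netdev_uses_dsa()`/`dev_change_flags()` calls.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Added example, not kernel code: a user-space model of the ic_device list in
 * net/ipv4/ipconfig.c and of ic_close_devs() as it reads after this patch. */
struct fake_netdev {
	bool uses_dsa;  /* stands in for netdev_uses_dsa(dev) */
	bool downed;    /* set where the kernel calls dev_change_flags() */
};
struct ic_device {
	struct ic_device *next;
	struct fake_netdev *dev;
};

/* The node ic_dev points at may already have been freed by an earlier iteration,
 * so ic_dev is compared by value, never dereferenced (this also covers NULL). */
static int model_ic_close_devs(struct ic_device *ic_first_dev,
			       struct ic_device *ic_dev)
{
	struct ic_device *d, *next;
	struct fake_netdev *dev;
	int downed = 0;
	next = ic_first_dev;
	while ((d = next)) {
		next = d->next;
		dev = d->dev;
		/* the old check read ic_dev->dev here: a UAF once that node was freed */
		if (d != ic_dev && !dev->uses_dsa) {
			dev->downed = true;
			downed++;
		}
		free(d); /* kfree(d) in the kernel: the "Freed:" site in the splat */
	}
	return downed; /* number of devices taken down */
}

/* Constructed input: n devices, index `chosen` is ic_dev (-1 for none), index
 * `dsa_index` (-1 for none) uses DSA. Returns the downed count, -1 if chosen was downed. */
static int run_model(int n, int chosen, int dsa_index)
{
	struct fake_netdev *devs = calloc(n, sizeof(*devs));
	struct ic_device *head = NULL, *ic_dev = NULL;
	int i, downed;
	for (i = 0; i < n; i++) {
		struct ic_device *d = calloc(1, sizeof(*d));
		devs[i].uses_dsa = (i == dsa_index);
		d->dev = &devs[i];
		d->next = head; head = d;   /* prepend; list order is irrelevant here */
		if (i == chosen) ic_dev = d;
	}
	downed = model_ic_close_devs(head, ic_dev);
	if (chosen >= 0 && devs[chosen].downed) downed = -1;
	free(devs);
	return downed;
}
```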